Presentation is loading. Please wait.

Presentation is loading. Please wait.

MultiTenancy - an Introduction for Techies Timothy D. Kuehn Senior OpenEdge Consultant TDK Consulting Services Inc

Published byNoah Harmon Modified over 8 years ago

Similar presentations

Presentation on theme: "MultiTenancy - an Introduction for Techies Timothy D. Kuehn Senior OpenEdge Consultant TDK Consulting Services Inc"— Presentation transcript:

1 MultiTenancy - an Introduction for Techies Timothy D. Kuehn Senior OpenEdge Consultant TDK Consulting Services Inc timk@tdkcs.catimk@tdkcs.ca tim.kuehn@gmail.com Ph 519-576-8100 Cell: 519-781-0081

2 MultiTenancy For Developers Storage Area Structures Type I: Inventory Data Inventory Index Order Data Order Data Order Index Inventory Index Inventory Data Type II: Inventory Data Inventory Index Inventory BLOB Cluster TDK Consulting Services Inc

3 MultiTenancy For Developers Storage Structures MultiTenant Table in Type II Storage Area Tenant: Coyote Inventory Data Cluster Inventory Index Cluster Inventory BLOB Cluster Tenant: Road Runner Inventory Data Cluster Inventory Index Cluster Inventory BLOB Cluster Tenant: Balto Inventory Data Cluster Inventory Index Cluster Inventory BLOB Cluster TDK Consulting Services Inc

4 MultiTenancy For Developers Storage Structures MultiTenant Groups All tenants have their own distinct “inventory” table partition Viewers Since Balto is not a group member, he gets his own “viewers” partition. Viewers What happens when a group has no tenant members…. Tenant: Coyote Tenant: Road Runner Inventory Viewers Tenants in a group share access to a single data partition of the “viewers” table Tenant: Balto Inventory TDK Consulting Services Inc

5 MultiTenancy For Developers Storage Structures Shared Tables Tenant: Coyote Tenant: Road Runner Inventory Viewers Tenant: Balto InventoryViewers Geographic Information System Data Everyone sees and updates the same table at the same time MultiTenant Tables Shared Tables TDK Consulting Services Inc

6 “Global Shared Sequence” -> Same as current sequence, all tenant users see the same value “MultiTenant Sequence” -> Each tenant gets their own sequence MultiTenancy For Developers Database Sequences TDK Consulting Services Inc

7 MultiTenancy For Developers Database Sequences Tenant: Coyote Tenant: Road Runner Inventory ID Global Shared Sequence Inventory ID MT Sequence Viewer ID All other Tenants: Inventory ID ….. The counter increments at the same time and has the same value for all tenants Each tenant gets their own counter. Each tenant’s counter increments independent of all other tenant’s counters TDK Consulting Services Inc

8 Domains - Are collections of users within a tenant Determines which tenant’s data a user has access to Determines how users are authenticated Controls user access MultiTenancy For Developers (Security) Domains TDK Consulting Services Inc

9 Domain Rules: Must be associated with a database tenant Must be unique across all database tenants Must have an authentication configuration The “” (blank) domain is the ‘default’ domain Names can be up to 64 chars long MultiTenancy For Developers (Security) Domains TDK Consulting Services Inc

10 MultiTenancy For Developers Domains Inventory Viewer Inventory Sequence research.coyote.com fabrication.coyote.com research.roadrunner.com tactics.roadrunner.com Domains Inventory Sequence Tenant: Coyote Tenant: Road Runner TDK Consulting Services Inc

11 MultiTenancy For Developers Users User Rules - Are identified within a domain Must be unique within domain Can have the same name in multiple domains (even within the same tenant) Best Practices: Match development login user tenant with the type of user who’ll be using the data TDK Consulting Services Inc

12 MultiTenancy For Developers Users Inventory Viewer Inventory Sequence secret@research.coyote.com welder@fabrication.coyote.com secret@research.roadrunner.com survival@tactics.roadrunner.com User@Domain Inventory Sequence Tenant: Coyote Tenant: Road Runner TDK Consulting Services Inc

13 Authentication is the process performed by an authentication system to validate a user's asserted identity and determine their abilities and rights to access data sources. Authentication process is defined at the domain level. _oeusertable: Authenticate using the _user table (-U –P) _oslocal: Authenticate using the OS _extsso: External Single Sign-on {userdefined}: 11.0 -> same as _extsso, 11.1: SSO & ABL Notes: _user can be configured for access by SQL92 only _oslocal executes whever the AVM session runs MultiTenancy For Developers Authentication TDK Consulting Services Inc

14 Authentication layers _oslocal _oeusertable OE SQLOE ABL OE MT DB proutil OS How does the AVM know when a session has been authenticated? Can authenticate using the OS identity or the _user table MultiTenancy For Developers Authentication TDK Consulting Services Inc

15 Client-Principal: A security token containing trusted user credentials that establish user identity for an ABL session and database connection(s). Types of CP objects: MultiTenancy For Developers Client-Principal TypeDescription UnsealedThe CP object information has not been authenticated and can be changed. (See the “LOGIN-STATE” attribute for more details) SealedCP object values have been set to authenticate access to the user@domain’s tenant, then converted to a tamper- proof token that can’t be changed. TDK Consulting Services Inc

16 MultiTenancy For Developers Establishing a Session Receive login information Authenticate Create sealed CP object Store CP object in a safe place Create session token Return session token TDK Consulting Services Inc

17 MultiTenancy For Developers Session Service Call Pass session token to service Validate session token Get session’s CP object Assert identity Perform work Return results to caller TDK Consulting Services Inc

18 MultiTenancy For Developers Remote Session Server Call Pass session token to service Validate session token Get session’s CP object Assert identityPerform work Return results to caller Pass CP to remote server TDK Consulting Services Inc

19 MultiTenancy For Developers Using Client-Principal to Establish Tenancy RUN Authenticate.p(user-id, domain, userpassword, OUTPUT is-ok). IF NOT is-ok THEN LEAVE. CREATE CLIENT-PRINCIPAL hCP. hCP:INITIALIZE(user-id + “@” + domain). hCP:SEAL(DomainAccessCode). IF is-remote THEN op-raw = hCP:EXPORT-PRINCIPAL(). IF is-local THEN SET-DB-CLIENT(hCP). For more on the CP object, see “OE Getting Started: Core Business Services” page 4-9ff See _Domain._Domain-Access-Code TDK Consulting Services Inc

20 MultiTenancy For Developers What happens on identity switch? welder@fabrication.coyote.com secret@research.roadrunner.com Tenant: W.E. CoyoteTenant: RoadRunner TDK Consulting Services Inc

21 MultiTenancy For Developers What happens on identity switch? welder@fabrication.coyote.com Tenant: W.E. Coyote secret@research.roadrunner.com Tenant: RoadRunner Tenant Tables and Sequences Viewers Geographic Information System Data TDK Consulting Services Inc

22 MultiTenancy For Developers What happens on identity switch? Geographic Information System Data Viewers Tenant Tables and Sequences owner@balto.com Tenant: Balto TDK Consulting Services Inc

23 Other things remember: All database buffers and queries are invalidated Prodatasets, temp tables, variables, and shared variables retain their state Prodatasets, temp-tables, and variables do NOT track tenant identity MultiTenancy For Developers What happens on identity switch? TDK Consulting Services Inc

24 MultiTenancy For Developers the story continues… TDK Consulting Services Inc

25 MultiTenancy For Developers How can tenants share data? Tenant: Balto InventoryViewers Tenant: Coyote Tenant: Road Runner Inventory Viewers The Riddler has a riddle for you… TDK Consulting Services Inc

26 MultiTenancy For Developers Introducing the Supertenant TDK Consulting Services Inc

27 MultiTenancy For Developers Finding the Supertenant Tenant: Balto InventoryViewers Tenant: Coyote Tenant: Road Runner Inventory Viewers Tenant: Super Effective Id defaults to “default” tenant on login Tenant: Default InventoryViewers TDK Consulting Services Inc

28 MultiTenancy For Developers Creating and Using the Supertenant 1.Create a “Super” Tenant 2.Create a security domain in the super tenant 3.Create a user in the super tenant domain 4.Login and do work TDK Consulting Services Inc

29 MultiTenancy For Developers Being the Supertenant: VSTs FieldDescr _Tenant-NameUnique name for tenant _TenantIDSystem applied ID. Super Tenant, = 0 -> Default Tenant, > 0 -> Regular Tenant _Tenant-DescriptionUser entered description _Tenant-TypeInternal Use _Tenant-Attributes[64]PSC Used Flags _Tenant-Data-Area-DefaultDefault storage area for data _Tenant-Index-Area-DefaultDefault storage area for indexes _Tenant-Lob-Area-DefaultDefault storage area for LOBs _Tenant-Sequence-BlockStorage area for sequences Table: _Tenant TDK Consulting Services Inc

30 MultiTenancy For Developers Being the Supertenant: VSTs FieldDescr _Domain-NameName of the security domain _Domain-TypeInternal Use _Domain-EnabledIs domain enabled for user access? _Auditing-ContextUser supplied information recorded in the auditing’s _auditing-context field _Domain-Access-CodeUsed to validate the CP authenticity “seal” before it will be used and used to verify that the CP has access to the current domain _Tenant-NameSame as _Tenant._Tenant-Name Table: _sec-Authentication-Domain TDK Consulting Services Inc

31 MultiTenancy For Developers Being the Supertenant: VSTs FieldDescr _UserIDSystem assigned ID _Domain-NameName of the Domain this user belongs to _User-NameName of the user _PasswordUser’s Password _TenantIDSame as _Tenant._TenantID Table: _User Note: _user’s primary index has changed to _userid + _domain_name TDK Consulting Services Inc

32 MultiTenancy For Developers Being the Supertenant: VSTs FieldDescr _Domain-NameName of domain that uses this system _Domain-TypeUsed internally to link _sec-authentication-domain to _sec-authentication-system _PAM-Module-NameDesignates the authentication system that supports authentication to user accounts using external user account software _PAM_Callback_ProcedurePath to the ABL procedure to run when OE performs user authentication / SSO inside of SET-DB-CLIENT() and SECURITY-POLICY:SET-CLIENT() Table: _sec-Authentication-System TDK Consulting Services Inc

33 MultiTenancy For Developers Being the Supertenant: VST Relationships _Tenant_Domain _Tenant-Name _sec-Authentication-System _Domain-Name _User _Domain-Name MultiTenant Schema Table Relationships _TenantID Reserved for use by PSC TDK Consulting Services Inc Also: _partition-set and _partition-set-detail – See MT Abl pg 213

34 MultiTenancy For Developers Being the Supertenant: Language Additions See Chapter 3: MultiTenant OE Development Programming Interfaces TDK Consulting Services Inc Language ElementTypeNotes IS-DB-MULTI-TENANT()Function IS-MULTI-TENANTProperty SET-EFFECTIVE-TENANT()FunctionDoes not invalidate current buffers, Undo does not reset EFF TNT GET-EFFECTIVE-TENANT-ID()Function GET-EFFECTIVE-TENANT- NAME() Function TENANT-NAME-TO-ID()FunctionConvert Tenant Name to an ID TENANT-ID()FunctionDB connection tenant ID TENANT-NAME()FunctionDB connection tenant Name CREATE … FOR TENANTStatementCreate record for specific tenant BUFFER-CREATEMethodCreate record for specific Tenant

35 MultiTenancy For Developers Being the Supertenant: Language Additions See Chapter 3: MultiTenant OE Development Programming Interfaces TDK Consulting Services Inc Language ElementTypeNotes BUFFER-TENANT-IDAttributeAssociated with a buffer BUFFER-TENANT-ID()FunctionAssociated with a buffer BUFFER-TENANT-NAMEAttributeAssociated with a buffer BUFFER-TENANT-NAME()FunctionAssociated with a buffer REPOSITION qrynme TO ROWID AttributeCan reposition a query to a rowID in a tenant table REPOSITION query TO ROWID() MethodCan reposition a query to a rowID in a tenant table TENANT-WHEREClauseUsed in a FOR EACH to read records from multiple tenants SKIP-GROUP-DUPLICATESClauseProcess a GROUP table once

36 MultiTenancy For Developers Being the Supertenant: MakingThingsEasier TDK Consulting Services Inc MT API

37 MultiTenancy For Developers Being the Supertenant: Things to Remember! Things to remember: 1.Each tenant’s partition is distinct, so table key values will be unique for a tenant/group and a table only 2.ROWID’s are unique to a tenant and area only. 3.Each record of a MT table has an identifier can be used to link it to a tenant via a BUFFER-TENANT-* call/reference 4.Tenant ID, like ROWID and RECID, is not guaranteed to remain the same across a D&L or tenant migration, and should only be used within a single AVM session. TDK Consulting Services Inc

38 MultiTenancy For Developers MT and Super Tenant Gotcha’s TDK Consulting Services Inc

39 MultiTenancy For Developers MT and Super Tenant Gotcha’s Requires ability to map single application structures to meta-application structures Tenant: Coyote Tenant: Road Runner Inventory Viewers Geographic Information System Data Viewers Tenant: Balto Inventory TDK Consulting Services Inc

40 MultiTenancy For Developers MT and Super Tenant Gotcha’s! External file, directory, and service collision avoidance /tmp Tenant: Coyote Tenant: Road Runner Inventory Viewers TDK Consulting Services Inc

41 MultiTenancy For Developers The Riddler Says: Questions Anyone? Questions…? TDK Consulting Services Inc

42 MultiTenancy For Developers Thank you for your time! TDK Consulting Services Inc This presentation brought to you by: Tim Kuehn Senior OpenEdge Consultant TDK Consulting Services Inc. 519-576-8100 tim.kuehn@gmail.comtim.kuehn@gmail.com

Download ppt "MultiTenancy - an Introduction for Techies Timothy D. Kuehn Senior OpenEdge Consultant TDK Consulting Services Inc"

Similar presentations

The VeriTrak Enterprise Application Created for The Verification Company By CTO Source, Inc. This presentation provides an overview of the system and links.

The VeriTrak Enterprise Application Created for The Verification Company By CTO Source, Inc. This presentation provides an overview of the system and links.
Client Principal in the wild

Client Principal in the wild
Introduction to the ABAP Data Dictionary

Introduction to the ABAP Data Dictionary
OpenEdge ABL Multi-Tenancy ABL Multi-Tenant Programming Mary Szekely OpenEdge Fellow June 2011.

OpenEdge ABL Multi-Tenancy ABL Multi-Tenant Programming Mary Szekely OpenEdge Fellow June 2011.
Chapter 5: Configuring Users and Groups. Windows Vista User Accounts User accounts are the primary means of authentication Built-in Accounts –Administrator:

Chapter 5: Configuring Users and Groups. Windows Vista User Accounts User accounts are the primary means of authentication Built-in Accounts –Administrator:
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
Authenticating REST/Mobile clients using LDAP and OERealm

Authenticating REST/Mobile clients using LDAP and OERealm
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Databases & Data Warehouses Chapter 3 Database Processing.

Databases & Data Warehouses Chapter 3 Database Processing.
Overview What is SQL Server? Creating databases Administration Security Backup.

Overview What is SQL Server? Creating databases Administration Security Backup.
Web Development Challenges and How They are Solved in ps:eScript Matt Verrinder Progress Software UK Internet & Integration Technologies.

Web Development Challenges and How They are Solved in ps:eScript Matt Verrinder Progress Software UK Internet & Integration Technologies.
Coding with Identity Management & Security Part 2 of Identity Management with OpenEdge Peter Judge OpenEdge Development

Coding with Identity Management & Security Part 2 of Identity Management with OpenEdge Peter Judge OpenEdge Development
DB-19: OpenEdge® Authentication Without the _User Table

DB-19: OpenEdge® Authentication Without the _User Table
Identity Management Basics Part 1 of Identity Management with OpenEdge Peter Judge OpenEdge Development

Identity Management Basics Part 1 of Identity Management with OpenEdge Peter Judge OpenEdge Development
Database System Concepts and Architecture Lecture # 3 22 June 2012 National University of Computer and Emerging Sciences.

Database System Concepts and Architecture Lecture # 3 22 June 2012 National University of Computer and Emerging Sciences.
Module 3: Table Selection

Module 3: Table Selection
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
ASP.NET Programming with C# and SQL Server First Edition

ASP.NET Programming with C# and SQL Server First Edition
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.

PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.

Similar presentations

Ads by Google